@camox/api 0.2.0-alpha.5 → 0.3.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@camox/api",
-  "version": "0.2.0-alpha.5",
+  "version": "0.3.0",
   "files": [
     "src"
   ],

package/src/authorization.ts

@@ -2,44 +2,46 @@ import { ORPCError } from "@orpc/server";
 import { and, eq, or } from "drizzle-orm";
 
 import type { Database } from "./db";
-import {
-  member,
-  organizationTable,
-  blocks,
-  files,
-  layouts,
-  pages,
-  projects,
-  repeatableItems,
-} from "./schema";
+import { member, blocks, files, layouts, pages, projects, repeatableItems } from "./schema";
 
-// --- Membership Helpers ---
+// --- Sync Secret ---
 
-export async function assertOrgMembership(db: Database, userId: string, orgSlug: string) {
-  const result = await db
-    .select({ id: member.id })
-    .from(member)
-    .innerJoin(organizationTable, eq(organizationTable.id, member.organizationId))
-    .where(and(eq(organizationTable.slug, orgSlug), eq(member.userId, userId)))
-    .get();
-  if (!result) throw new ORPCError("FORBIDDEN");
+export async function assertSyncSecret(db: Database, projectSlug: string, syncSecret: string) {
+  const project = await db.select().from(projects).where(eq(projects.slug, projectSlug)).get();
+  if (!project) throw new ORPCError("NOT_FOUND");
+
+  if (syncSecret !== project.syncSecret) {
+    throw new ORPCError("UNAUTHORIZED");
+  }
+
+  return project;
 }
 
+// --- Membership Helpers ---
+
 /** Verify user is a member of the org that owns a project (by project ID). */
 async function assertProjectMembership(db: Database, projectId: number, userId: string) {
   const result = await db
     .select({ id: member.id })
     .from(projects)
-    .innerJoin(organizationTable, eq(organizationTable.slug, projects.organizationSlug))
     .innerJoin(
       member,
-      and(eq(member.organizationId, organizationTable.id), eq(member.userId, userId)),
+      and(eq(member.organizationId, projects.organizationId), eq(member.userId, userId)),
     )
     .where(eq(projects.id, projectId))
     .get();
   if (!result) throw new ORPCError("FORBIDDEN");
 }
 
+export async function assertOrgMembership(db: Database, userId: string, orgId: string) {
+  const result = await db
+    .select({ id: member.id })
+    .from(member)
+    .where(and(eq(member.organizationId, orgId), eq(member.userId, userId)))
+    .get();
+  if (!result) throw new ORPCError("FORBIDDEN");
+}
+
 // --- Authorization Helpers ---
 
 export async function getAuthorizedProject(db: Database, projectId: number, userId: string) {

package/src/index.ts

@@ -28,13 +28,7 @@ app.use(
   "*",
   cors({
     origin: (origin) => origin,
-    allowHeaders: [
-      "Content-Type",
-      "Authorization",
-      "Better-Auth-Cookie",
-      "x-sync-secret",
-      "x-environment-name",
-    ],
+    allowHeaders: ["Content-Type", "Authorization", "Better-Auth-Cookie", "x-environment-name"],
     allowMethods: ["POST", "GET", "OPTIONS"],
     exposeHeaders: ["Content-Length", "Set-Better-Auth-Cookie"],
     maxAge: 600,
@@ -44,7 +38,8 @@ app.use(
 
 // Session middleware — populates c.var.user/session
 app.use("*", async (c, next) => {
-  const auth = createAuth(c.var.db, c.env);
+  const url = new URL(c.req.url);
+  const auth = createAuth(c.var.db, c.env, url.origin);
   const session = await auth.api.getSession({ headers: c.req.raw.headers });
 
   if (!session) {
@@ -72,8 +67,18 @@ app.use(
     options: {
       onBeforeConnect: async (req, _lobby, c) => {
         const db = createDb(c.env.DB);
-        const auth = createAuth(db, c.env);
-        const session = await auth.api.getSession({ headers: req.headers });
+        const url = new URL(req.url);
+        const auth = createAuth(db, c.env, url.origin);
+
+        // WebSocket upgrades can't carry custom headers, so the client
+        // sends the cross-domain auth cookie as a query parameter instead.
+        const headers = new Headers(req.headers);
+        const authCookie = url.searchParams.get("_authCookie");
+        if (authCookie) {
+          headers.set("Better-Auth-Cookie", authCookie);
+        }
+
+        const session = await auth.api.getSession({ headers });
         if (!session) return new Response("Unauthorized", { status: 401 });
       },
     },

package/src/orpc.ts

@@ -35,20 +35,6 @@ export const pub = os.$context<BaseContext>().use(async ({ next, path }) => {
   }
 });
 
-/** Sync procedure — requires either a valid session or the x-sync-secret header */
-export const synced = pub.use(async ({ context, next }) => {
-  if (context.user && context.session) {
-    return next({ context });
-  }
-
-  const secret = context.headers.get("x-sync-secret");
-  if (!secret || secret !== context.env.SYNC_SECRET) {
-    throw new ORPCError("UNAUTHORIZED");
-  }
-
-  return next({ context });
-});
-
 /** Authed procedure — requires authenticated user */
 export const authed = pub.use(async ({ context, next }) => {
   if (!context.user || !context.session) {

package/src/routes/auth.ts

@@ -38,13 +38,24 @@ function generateSlug(name: string): string {
   return `${base}-${suffix}`;
 }
 
-export function createAuth(db: Database, env: Bindings) {
+export function createAuth(db: Database, env: Bindings, baseURL: string) {
+  // Derive the cookie domain from SITE_URL so cookies are shared between
+  // the web app (camox.ai) and the API (api.camox.ai).
+  // In dev (localhost), this is undefined — cookies work without an explicit domain.
+  let cookieDomain: string | undefined;
+  try {
+    const siteHost = new URL(env.SITE_URL).hostname;
+    if (siteHost !== "localhost") cookieDomain = `.${siteHost}`;
+  } catch {
+    // SITE_URL missing or malformed — fall back to default cookie domain
+  }
+
   const auth = betterAuth({
     database: drizzleAdapter(db, {
       provider: "sqlite",
       schema: authSchema,
     }),
-    baseURL: env.BETTER_AUTH_URL,
+    baseURL,
     secret: env.BETTER_AUTH_SECRET,
     emailAndPassword: {
       enabled: true,
@@ -66,6 +77,12 @@ export function createAuth(db: Database, env: Bindings) {
     },
     // Accept requests from any origin — Camox sites run on arbitrary customer domains
     trustedOrigins: ["*"],
+    advanced: {
+      crossSubDomainCookies: {
+        enabled: true,
+        domain: cookieDomain,
+      },
+    },
     plugins: [organization(), crossDomain({ siteUrl: env.SITE_URL }), oneTimeToken(), bearer()],
     databaseHooks: {
       user: {
@@ -105,6 +122,7 @@ export const authRoutes = new Hono<AppEnv>()
     }),
   )
   .on(["POST", "GET"], "/*", async (c) => {
-    const auth = createAuth(c.var.db, c.env);
+    const url = new URL(c.req.url);
+    const auth = createAuth(c.var.db, c.env, url.origin);
     return auth.handler(c.req.raw);
   });

package/src/routes/block-definitions.ts

@@ -1,15 +1,16 @@
-import { ORPCError } from "@orpc/server";
 import { and, eq } from "drizzle-orm";
 import { z } from "zod";
 
+import { assertSyncSecret } from "../authorization";
 import { resolveEnvironment } from "../lib/resolve-environment";
-import { pub, synced } from "../orpc";
-import { blockDefinitions, projects } from "../schema";
+import { pub } from "../orpc";
+import { blockDefinitions } from "../schema";
 
 // --- Procedures ---
 
 const definitionSchema = z.object({
   projectSlug: z.string(),
+  syncSecret: z.string(),
   blockId: z.string(),
   title: z.string(),
   description: z.string(),
@@ -22,6 +23,7 @@ const definitionSchema = z.object({
 
 const syncSchema = z.object({
   projectSlug: z.string(),
+  syncSecret: z.string(),
   definitions: z.array(
     z.object({
       blockId: z.string(),
@@ -54,14 +56,9 @@ const list = pub.input(z.object({ projectId: z.number() })).handler(async ({ con
   return result;
 });
 
-const sync = synced.input(syncSchema).handler(async ({ context, input }) => {
+const sync = pub.input(syncSchema).handler(async ({ context, input }) => {
   const { projectSlug, definitions } = input;
-  const project = await context.db
-    .select()
-    .from(projects)
-    .where(eq(projects.slug, projectSlug))
-    .get();
-  if (!project) throw new ORPCError("NOT_FOUND");
+  const project = await assertSyncSecret(context.db, projectSlug, input.syncSecret);
   const projectId = project.id;
   const environment = await resolveEnvironment(context.db, projectId, context.environmentName, {
     autoCreate: true,
@@ -125,14 +122,9 @@ const sync = synced.input(syncSchema).handler(async ({ context, input }) => {
   return { results, environmentCreated: environment.created };
 });
 
-const upsert = synced.input(definitionSchema).handler(async ({ context, input }) => {
-  const { projectSlug, ...body } = input;
-  const project = await context.db
-    .select()
-    .from(projects)
-    .where(eq(projects.slug, projectSlug))
-    .get();
-  if (!project) throw new ORPCError("NOT_FOUND");
+const upsert = pub.input(definitionSchema).handler(async ({ context, input }) => {
+  const { projectSlug, syncSecret: _, ...body } = input;
+  const project = await assertSyncSecret(context.db, projectSlug, input.syncSecret);
   const projectId = project.id;
   const environment = await resolveEnvironment(context.db, projectId, context.environmentName, {
     autoCreate: true,
@@ -188,16 +180,11 @@ const upsert = synced.input(definitionSchema).handler(async ({ context, input })
   return { ...result, action: "created" as const };
 });
 
-const deleteFn = synced
-  .input(z.object({ projectSlug: z.string(), blockId: z.string() }))
+const deleteFn = pub
+  .input(z.object({ projectSlug: z.string(), syncSecret: z.string(), blockId: z.string() }))
   .handler(async ({ context, input }) => {
     const { projectSlug, blockId } = input;
-    const project = await context.db
-      .select()
-      .from(projects)
-      .where(eq(projects.slug, projectSlug))
-      .get();
-    if (!project) throw new ORPCError("NOT_FOUND");
+    const project = await assertSyncSecret(context.db, projectSlug, input.syncSecret);
     const environment = await resolveEnvironment(context.db, project.id, context.environmentName);
     const result = await context.db
       .delete(blockDefinitions)

package/src/routes/blocks.ts

@@ -20,7 +20,6 @@ import {
   files,
   layouts,
   member,
-  organizationTable,
   pages,
   projects,
   repeatableItems,
@@ -625,10 +624,9 @@ const deleteMany = authed
       .leftJoin(pages, eq(blocks.pageId, pages.id))
       .leftJoin(layouts, eq(blocks.layoutId, layouts.id))
       .innerJoin(projects, or(eq(projects.id, pages.projectId), eq(projects.id, layouts.projectId)))
-      .innerJoin(organizationTable, eq(organizationTable.slug, projects.organizationSlug))
       .innerJoin(
         member,
-        and(eq(member.organizationId, organizationTable.id), eq(member.userId, context.user.id)),
+        and(eq(member.organizationId, projects.organizationId), eq(member.userId, context.user.id)),
       )
       .where(inArray(blocks.id, blockIds));
     if (authorizedBlocks.length !== blockIds.length) {

package/src/routes/files.ts

@@ -13,7 +13,7 @@ import { queryKeys } from "../lib/query-keys";
 import { resolveEnvironment } from "../lib/resolve-environment";
 import { scheduleAiJob } from "../lib/schedule-ai-job";
 import { pub, authed } from "../orpc";
-import { blocks, files, member, organizationTable, projects, repeatableItems } from "../schema";
+import { blocks, files, member, projects, repeatableItems } from "../schema";
 import type { AppEnv } from "../types";
 
 // --- AI Executor ---
@@ -270,10 +270,9 @@ const deleteMany = authed
       .select({ id: files.id, blobId: files.blobId, projectId: files.projectId })
       .from(files)
       .innerJoin(projects, eq(projects.id, files.projectId))
-      .innerJoin(organizationTable, eq(organizationTable.slug, projects.organizationSlug))
       .innerJoin(
         member,
-        and(eq(member.organizationId, organizationTable.id), eq(member.userId, context.user.id)),
+        and(eq(member.organizationId, projects.organizationId), eq(member.userId, context.user.id)),
       )
       .where(inArray(files.id, ids));
 

package/src/routes/layouts.ts

@@ -1,13 +1,13 @@
-import { ORPCError } from "@orpc/server";
 import { and, eq } from "drizzle-orm";
 import { generateKeyBetween } from "fractional-indexing";
 import { z } from "zod";
 
+import { assertSyncSecret } from "../authorization";
 import { broadcastInvalidation } from "../lib/broadcast-invalidation";
 import { queryKeys } from "../lib/query-keys";
 import { resolveEnvironment } from "../lib/resolve-environment";
-import { pub, synced } from "../orpc";
-import { blocks, layouts, projects, repeatableItems } from "../schema";
+import { pub } from "../orpc";
+import { blocks, layouts, repeatableItems } from "../schema";
 
 // --- Procedures ---
 
@@ -21,6 +21,7 @@ const repeatableItemSeedSchema = z.object({
 
 const syncLayoutsSchema = z.object({
   projectSlug: z.string(),
+  syncSecret: z.string(),
   layouts: z.array(
     z.object({
       layoutId: z.string(),
@@ -47,18 +48,9 @@ const list = pub.input(z.object({ projectId: z.number() })).handler(async ({ con
     .where(and(eq(layouts.projectId, projectId), eq(layouts.environmentId, environment.id)));
 });
 
-const sync = synced.input(syncLayoutsSchema).handler(async ({ context, input }) => {
+const sync = pub.input(syncLayoutsSchema).handler(async ({ context, input }) => {
   const { projectSlug, layouts: layoutDefs } = input;
-  const project = await context.db
-    .select()
-    .from(projects)
-    .where(eq(projects.slug, projectSlug))
-    .get();
-
-  if (!project) {
-    throw new ORPCError("NOT_FOUND");
-  }
-
+  const project = await assertSyncSecret(context.db, projectSlug, input.syncSecret);
   const projectId = project.id;
   const environment = await resolveEnvironment(context.db, projectId, context.environmentName, {
     autoCreate: true,

package/src/routes/pages.ts

@@ -519,6 +519,23 @@ const list = pub.input(z.object({ projectId: z.number() })).handler(async ({ con
     .where(and(eq(pages.projectId, input.projectId), eq(pages.environmentId, environment.id)));
 });
 
+const listBySlug = pub
+  .input(z.object({ projectSlug: z.string() }))
+  .handler(async ({ context, input }) => {
+    const project = await context.db
+      .select()
+      .from(projects)
+      .where(eq(projects.slug, input.projectSlug))
+      .get();
+    if (!project) throw new ORPCError("NOT_FOUND");
+
+    const environment = await resolveEnvironment(context.db, project.id, context.environmentName);
+    return await context.db
+      .select()
+      .from(pages)
+      .where(and(eq(pages.projectId, project.id), eq(pages.environmentId, environment.id)));
+  });
+
 const get = pub.input(z.object({ id: z.number() })).handler(async ({ context, input }) => {
   const { id } = input;
   const result = await context.db.select().from(pages).where(eq(pages.id, id)).get();
@@ -806,6 +823,7 @@ export const pageProcedures = {
   getByPath,
   getStructure,
   list,
+  listBySlug,
   get,
   create,
   update,

package/src/routes/projects.ts

@@ -3,17 +3,25 @@ import { and, eq } from "drizzle-orm";
 import { generateKeyBetween } from "fractional-indexing";
 import { z } from "zod";
 
-import { assertOrgMembership, getAuthorizedProject } from "../authorization";
+import { assertOrgMembership, assertSyncSecret, getAuthorizedProject } from "../authorization";
 import { resolveEnvironment } from "../lib/resolve-environment";
 import { generateUniqueSlug } from "../lib/slug";
-import { authed, synced } from "../orpc";
-import { blocks, environments, layouts, pages, projects, repeatableItems } from "../schema";
+import { authed, pub } from "../orpc";
+import {
+  blocks,
+  environments,
+  layouts,
+  organizationTable,
+  pages,
+  projects,
+  repeatableItems,
+} from "../schema";
 
 // --- Procedures ---
 
 const createProjectSchema = z.object({
   name: z.string(),
-  organizationSlug: z.string(),
+  organizationId: z.string(),
 });
 
 const updateProjectSchema = z.object({
@@ -21,23 +29,23 @@ const updateProjectSchema = z.object({
 });
 
 const list = authed
-  .input(z.object({ organizationSlug: z.string() }))
+  .input(z.object({ organizationId: z.string() }))
   .handler(async ({ context, input }) => {
-    await assertOrgMembership(context.db, context.user.id, input.organizationSlug);
+    await assertOrgMembership(context.db, context.user.id, input.organizationId);
     return context.db
       .select()
       .from(projects)
-      .where(eq(projects.organizationSlug, input.organizationSlug));
+      .where(eq(projects.organizationId, input.organizationId));
   });
 
 const getFirst = authed
-  .input(z.object({ organizationSlug: z.string() }))
+  .input(z.object({ organizationId: z.string() }))
   .handler(async ({ context, input }) => {
-    await assertOrgMembership(context.db, context.user.id, input.organizationSlug);
+    await assertOrgMembership(context.db, context.user.id, input.organizationId);
     const result = await context.db
       .select()
       .from(projects)
-      .where(eq(projects.organizationSlug, input.organizationSlug))
+      .where(eq(projects.organizationId, input.organizationId))
       .limit(1)
       .get();
     if (!result) throw new ORPCError("NOT_FOUND");
@@ -48,24 +56,36 @@ const getBySlug = authed
   .input(z.object({ slug: z.string() }))
   .handler(async ({ context, input }) => {
     const result = await context.db
-      .select()
+      .select({
+        project: projects,
+        organizationSlug: organizationTable.slug,
+      })
       .from(projects)
+      .innerJoin(organizationTable, eq(organizationTable.id, projects.organizationId))
       .where(eq(projects.slug, input.slug))
       .get();
     if (!result) throw new ORPCError("NOT_FOUND");
-    await assertOrgMembership(context.db, context.user.id, result.organizationSlug);
-    return result;
+    await assertOrgMembership(context.db, context.user.id, result.project.organizationId);
+    return { ...result.project, organizationSlug: result.organizationSlug };
   });
 
 const get = authed.input(z.object({ id: z.number() })).handler(async ({ context, input }) => {
-  const result = await context.db.select().from(projects).where(eq(projects.id, input.id)).get();
+  const result = await context.db
+    .select({
+      project: projects,
+      organizationSlug: organizationTable.slug,
+    })
+    .from(projects)
+    .innerJoin(organizationTable, eq(organizationTable.id, projects.organizationId))
+    .where(eq(projects.id, input.id))
+    .get();
   if (!result) throw new ORPCError("NOT_FOUND");
-  await assertOrgMembership(context.db, context.user.id, result.organizationSlug);
-  return result;
+  await assertOrgMembership(context.db, context.user.id, result.project.organizationId);
+  return { ...result.project, organizationSlug: result.organizationSlug };
 });
 
 const create = authed.input(createProjectSchema).handler(async ({ context, input }) => {
-  await assertOrgMembership(context.db, context.user.id, input.organizationSlug);
+  await assertOrgMembership(context.db, context.user.id, input.organizationId);
 
   const slug = await generateUniqueSlug(context.db);
   const syncSecret = crypto.randomUUID();
@@ -77,7 +97,7 @@ const create = authed.input(createProjectSchema).handler(async ({ context, input
       name: input.name,
       slug,
       syncSecret,
-      organizationSlug: input.organizationSlug,
+      organizationId: input.organizationId,
       createdAt: now,
       updatedAt: now,
     })
@@ -131,6 +151,7 @@ const repeatableItemSeedSchema = z.object({
 
 const initializeContentSchema = z.object({
   projectSlug: z.string(),
+  syncSecret: z.string(),
   layoutId: z.string(),
   blocks: z.array(
     z.object({
@@ -142,118 +163,111 @@ const initializeContentSchema = z.object({
   ),
 });
 
-const initializeContent = synced
-  .input(initializeContentSchema)
-  .handler(async ({ context, input }) => {
-    const project = await context.db
-      .select()
-      .from(projects)
-      .where(eq(projects.slug, input.projectSlug))
-      .get();
-    if (!project) throw new ORPCError("NOT_FOUND");
+const initializeContent = pub.input(initializeContentSchema).handler(async ({ context, input }) => {
+  const project = await assertSyncSecret(context.db, input.projectSlug, input.syncSecret);
 
-    const environment = await resolveEnvironment(context.db, project.id, context.environmentName);
+  const environment = await resolveEnvironment(context.db, project.id, context.environmentName);
 
-    // Check if environment already has pages — if so, skip (idempotent)
-    const existingPage = await context.db
-      .select()
-      .from(pages)
-      .where(eq(pages.environmentId, environment.id))
-      .limit(1)
-      .get();
-    if (existingPage) {
-      return { created: false };
-    }
+  // Check if environment already has pages — if so, skip (idempotent)
+  const existingPage = await context.db
+    .select()
+    .from(pages)
+    .where(eq(pages.environmentId, environment.id))
+    .limit(1)
+    .get();
+  if (existingPage) {
+    return { created: false };
+  }
 
-    const now = Date.now();
+  const now = Date.now();
 
-    // Find the specified layout
-    const layout = await context.db
-      .select()
-      .from(layouts)
-      .where(
-        and(
-          eq(layouts.projectId, project.id),
-          eq(layouts.environmentId, environment.id),
-          eq(layouts.layoutId, input.layoutId),
-        ),
-      )
-      .get();
-    if (!layout) {
-      return { created: false };
-    }
+  // Find the specified layout
+  const layout = await context.db
+    .select()
+    .from(layouts)
+    .where(
+      and(
+        eq(layouts.projectId, project.id),
+        eq(layouts.environmentId, environment.id),
+        eq(layouts.layoutId, input.layoutId),
+      ),
+    )
+    .get();
+  if (!layout) {
+    return { created: false };
+  }
+
+  // Create homepage
+  const homepage = await context.db
+    .insert(pages)
+    .values({
+      projectId: project.id,
+      environmentId: environment.id,
+      pathSegment: "",
+      fullPath: "/",
+      layoutId: layout.id,
+      metaTitle: "Untitled page",
+      metaDescription:
+        "Title and description will be generated by AI as you edit the page's content.",
+      createdAt: now,
+      updatedAt: now,
+    })
+    .returning()
+    .get();
 
-    // Create homepage
-    const homepage = await context.db
-      .insert(pages)
+  // Create blocks on the homepage
+  let prevPosition: string | null = null;
+  let blockCount = 0;
+
+  for (const blockDef of input.blocks) {
+    const position = generateKeyBetween(prevPosition, null);
+    prevPosition = position;
+
+    const block = await context.db
+      .insert(blocks)
       .values({
-        projectId: project.id,
-        environmentId: environment.id,
-        pathSegment: "",
-        fullPath: "/",
-        layoutId: layout.id,
-        metaTitle: "Untitled page",
-        metaDescription:
-          "Title and description will be generated by AI as you edit the page's content.",
+        pageId: homepage.id,
+        type: blockDef.type,
+        content: blockDef.content,
+        settings: blockDef.settings ?? null,
+        position,
+        summary: "",
         createdAt: now,
         updatedAt: now,
       })
       .returning()
       .get();
 
-    // Create blocks on the homepage
-    let prevPosition: string | null = null;
-    let blockCount = 0;
-
-    for (const blockDef of input.blocks) {
-      const position = generateKeyBetween(prevPosition, null);
-      prevPosition = position;
-
-      const block = await context.db
-        .insert(blocks)
-        .values({
-          pageId: homepage.id,
-          type: blockDef.type,
-          content: blockDef.content,
-          settings: blockDef.settings ?? null,
-          position,
-          summary: "",
-          createdAt: now,
-          updatedAt: now,
-        })
-        .returning()
-        .get();
-
-      const itemSeeds = blockDef.repeatableItems;
-      if (itemSeeds && itemSeeds.length > 0) {
-        const tempIdToRealId = new Map<string, number>();
-        for (const seed of itemSeeds) {
-          const parentItemId = seed.parentTempId
-            ? (tempIdToRealId.get(seed.parentTempId) ?? null)
-            : null;
-          const inserted = await context.db
-            .insert(repeatableItems)
-            .values({
-              blockId: block.id,
-              parentItemId,
-              fieldName: seed.fieldName,
-              content: seed.content,
-              summary: "",
-              position: seed.position,
-              createdAt: now,
-              updatedAt: now,
-            })
-            .returning()
-            .get();
-          tempIdToRealId.set(seed.tempId, inserted.id);
-        }
+    const itemSeeds = blockDef.repeatableItems;
+    if (itemSeeds && itemSeeds.length > 0) {
+      const tempIdToRealId = new Map<string, number>();
+      for (const seed of itemSeeds) {
+        const parentItemId = seed.parentTempId
+          ? (tempIdToRealId.get(seed.parentTempId) ?? null)
+          : null;
+        const inserted = await context.db
+          .insert(repeatableItems)
+          .values({
+            blockId: block.id,
+            parentItemId,
+            fieldName: seed.fieldName,
+            content: seed.content,
+            summary: "",
+            position: seed.position,
+            createdAt: now,
+            updatedAt: now,
+          })
+          .returning()
+          .get();
+        tempIdToRealId.set(seed.tempId, inserted.id);
       }
-
-      blockCount++;
     }
 
-    return { created: true, pageId: homepage.id, blockCount };
-  });
+    blockCount++;
+  }
+
+  return { created: true, pageId: homepage.id, blockCount };
+});
 
 export const projectProcedures = {
   list,

package/src/schema.ts

@@ -97,13 +97,15 @@ export const projects = sqliteTable(
     slug: text().notNull(),
     name: text().notNull(),
     syncSecret: text("sync_secret").notNull().default(""),
-    organizationSlug: text("organization_slug").notNull(),
+    organizationId: text("organization_id")
+      .notNull()
+      .references(() => organizationTable.id),
     createdAt: int("created_at").notNull(),
     updatedAt: int("updated_at").notNull(),
   },
   (table) => [
     uniqueIndex("projects_slug_idx").on(table.slug),
-    index("projects_organization_idx").on(table.organizationSlug),
+    index("projects_organization_idx").on(table.organizationId),
   ],
 );
 

package/src/types.ts

@@ -5,7 +5,6 @@ import type { Auth } from "./routes/auth";
 export type Bindings = {
   DB: D1Database;
   BETTER_AUTH_SECRET: string;
-  BETTER_AUTH_URL: string;
   GITHUB_CLIENT_ID: string;
   GITHUB_CLIENT_SECRET: string;
   GOOGLE_CLIENT_ID: string;
@@ -15,7 +14,6 @@ export type Bindings = {
   AI_JOB_SCHEDULER: DurableObjectNamespace;
   ProjectRoom: DurableObjectNamespace;
   FILES_BUCKET: R2Bucket;
-  SYNC_SECRET: string;
 };
 
 export type AppEnv = {